A New Complex Situation Creates a Number of Challenges to Correctly Identify Targets...

How do you accurately identify targets across multiple applications, multiple physical locations, multiple terminals and multiple identities?

How do you Identify Targets Across Multiple (Virtual) e-Identities and Multiple Network Access IDs?

Step 1: Track Usage of All or Suspected Virtual IDs
Step 2: Link Virtual IDs to Network Access IDs
Step 3: Intercept all Traffic from Virtual IDs and Link to Physical Person
Step 4: Extract Contact List to Understand Links Between People

Challenge #1: Identify Targets Using the Steps Previously Described



New challenges for LEAs

■ People are no longer linked to physical subscriber lines
■ The same person can communicate in several ways: VoIP, IM, Webmail, etc.
■ How to launch interception across all communication with a single trigger?

Answer

■ Identify users and intercept all types of communication initiated by the same user when a trigger such as “user login” is detected
■ Identify Internet access point and physical device of targeted user
■ Link trigger to IP address, MAC address, IMSI, IMEI, etc.
■ Show all communication on the same screen, in real-time: Webmail, Instant Messaging, FTP, P2P, Financial Transactions

1. Trigger = IM activity on monitored user login
2. Link user login to:
   - IP address
   - or IMSI
3. Intercept IM + Webmail + VoIP from a particular user on a certain PC or mobile to a specific person in real-time!

Challenge #2: Need to Understand Different Applications Behind The Same Protocol

■ HTTP is not only used by Web browsing
■ HTTP is also used by: LiveMail, Gmail, YahooMail, GoogleEarth, GoogleMap, Salesforce, iGoogle, mashups, and hundreds of other applications...
■ A user typically has different IDs in different applications

Answer

■ Understand all the applications using a particular protocol (such as HTTP)
■ Deep and stateful analysis of IP packets
■ Connection context and session management
■ Connection expiration management
■ IP fragmentation management
■ Session inheritance management

Challenge #3: Ability to Recognize Regional Protocols

■ Targets may use regional services for Webmail, Instant Messaging, Social Networking, etc.
■ Used by a large number of people in local country and local language
■ Targets can also use services from outside their country of origin, in local language or other languages

Answer

■ Extend protocol expertise to local Webmail, Instant Messaging, Social Networking, etc.

Examples of Regional Protocols

Challenge #4: Many Applications have Evolved from their Initial Use

■ Applications are used differently than their originally intended purpose
■ File transfer in Skype
■ Instant Messaging in WOW
■ Financial transactions in Second Life
■ Use of “Dead Mailboxes” within Webmail => shared storage space and folders (same login/password for different users)

Answer

■ Understand real application usage by correlating multiple sessions and packets
■ Ensure a full view of application / service / user, independently of protocol

Challenge #5: Recognizing Correct Identity Means Going BEYOND OSI Reference Model

■ Users can easily hide their identity
■ New, complex communication protocols do not follow OSI model
■ Examples: P2P, Instant Messaging, 2.5G/3G (GTP), DSL Unbundling (L2TP), VPN (GRE), etc.
■ Protocols are frequently encapsulated
■ Example: multiple encapsulations in an operator DSL network (ATM / AAL5 / IP / UDP / L2TP / PPP / IP / TCP / HTTP)

Answer

■ Extract user identity information in real-time, independently of OSI model and dig into encapsulation within several complex IP layers

Challenge #6: Not Possible to Rely on IANA Ports to Track Applications and Users

■ Applications can no longer be linked to specific ports
■ Port 80 = “The crime boulevard”
■ Skype runs on port 80, port 443, or on random ports
■ RTP does not use predefined ports
■ SIP negotiates and defines the ports used for data communication (RTP)

[Screenshot: Skype Connection Preferences, showing “Use port 13718 for incoming connections” and “Use port 80 and 443 as alternatives for incoming connections”]

Answer

■ Inspect complete IP flows rather than “packet by packet”
■ Track control connections: e.g. FTP data, SIP/RTP or P2P traffic
■ Ensure a full view of application / service / user independently of protocol
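
The control-connection tracking named under Challenge #6, as an added example that is not part of the original slides or any Qosmos code: a firewall or monitoring sensor reads the SDP body of a SIP message to learn which UDP ports will carry RTP, then labels media packets from that negotiated state instead of from the port number. The SIP message, addresses and function names are constructed for illustration.

```python
import re

# Constructed SIP INVITE with an SDP body (sample data, not from the original slides).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@host.example.org\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.20\r\n"
)

def expected_media_flows(sip_message):
    """Return {(ip, port): (call_id, media_kind)} for each RTP stream the SDP announces."""
    head, _, sdp = sip_message.partition("\r\n\r\n")
    m = re.search(r"^Call-ID:\s*(\S+)", head, re.I | re.M)
    call_id = m.group(1) if m else None
    session_ip, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                media[-1]["ip"] = ip       # media-level c= overrides the session-level one
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            port = int(port.split("/")[0])  # "49170/2" means a port range; keep the base
            if proto.startswith("RTP/") and port != 0:  # port 0 = stream declined
                media.append({"kind": kind, "port": port, "ip": None})
    return {(e["ip"] or session_ip, e["port"]): (call_id, e["kind"]) for e in media}

def classify_udp(dst_ip, dst_port, flows):
    """Label a UDP packet by the signalling that announced it, not by its port."""
    hit = flows.get((dst_ip, dst_port))
    return f"rtp/{hit[1]} (call {hit[0]})" if hit else "unknown"
```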

Challenge #7: Adapt Rapidly to New Protocols

■ Difficult to handle an increasing number of protocols with dedicated ASICs
■ Long development times (MONTHS)
■ Limited flexibility

Answer

■ Use a software-based approach, ensuring greater flexibility, easy updates and short development time (DAYS)
■ Shorten lead times to answer quickly to mounting threat patterns
■ Ensure high packet processing performance by using the latest standards-based, multi-core architecture
■ Make the software portable across different hardware platforms: Appliances, routers, IP DSLAMs, GGSNs, Set-Top-Boxes, PCs, etc.



[Figure: application logos: Gmail, eDonkey, YouTube, QQ, MSN, VMware, Oracle, Skype, SAP, BitTorrent, Citrix]

Your Network is Information



Contents

1. Identifying Virtual IDs: The Principles
2. Identifying Virtual IDs: The Challenges
3. Summary

Qosmos Legal Intercept Solutions

Qosmos and its integrator partners offer a complete interception solution including:

■ Flow classification
■ Applicative classification
■ Information extraction
■ Selective recording
■ Application transcoding (mail, etc.)
■ Visualization

Summary: It Is Possible To Accurately Identify Targets!

SPECIAL OFFER: Get your free evaluation of ixEngine at the Qosmos booth!

Network Intelligence: Making Sense out of Network Traffic

Qosmos Product Portfolio



Information eXtraction Engine (Software Libraries)

ixEngine
Software suite that enables developers to implement powerful Network Intelligence features in their products

ixEngine Protocol Plugin Creator
Specially designed for the creation of new/custom protocol plugins

Product Range
x86/32bits
x86/64bits
RMI XLR
Cavium Octeon
Freescale PowerQUICC

Information eXtraction Machines (Appliances)

ixMachine
Hardware appliances that extract extremely fine-grained information from the network to feed third-party systems

Product Range
ixM 10 Series: CPE (~ 10s Mbps)
ixM 100 Series: Access (~ 100s Mbps)
ixM 1 000 Series: Edge (~ Gbps)
ixM 10 000 Series: Core (~ tens of Gbps)

ixMOS 10 / 100 / 1 000 / 10 000